Article ID: 2214

Creation and Configuration of MAC Based Access Control List (ACL) on WAP121 and WAP321 Access Points

Objective

An Access Control List (ACL) is a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. The ACL can block any unwarranted attempts to reach network resources. A MAC ACL is a Layer 2 ACL. The network device inspects the frame and checks the ACL rules against the content of the frame, such as the source and destination MAC addresses. If any of the rules match the content, a permit or deny action is taken on the frame.

This article explains how to create and configure MAC ACL on WAP121 and WAP321 Access Points (WAP).

Applicable Devices

• WAP121
• WAP321

Software Version

• 1.0.3.4

Creation of MAC based ACL

Step 1. Log in to the Access Point Configuration Utility and choose Client QoS > ACL. The ACL page opens.

Configuration of a Rule for MAC based ACL

Step 2. If a new rule has to be configured for the selected ACL, choose New Rule from the Rule drop-down list; otherwise, choose one of the present rules from the Rule drop-down list.

Note: A maximum of 10 rules can be created for a single ACL.

Step 3. Choose the action for the ACL rule from the Action drop-down list.

• Deny — Blocks all traffic that meets the rule criteria from entering or exiting the WAP device.

• Permit — Allows all traffic that meets the rule criteria to enter or exit the WAP device.

Note: Steps 4 to 11 are optional. Filters that are checked are enabled. Uncheck the check box for the filter if you do not want it to apply to this specific rule.

Step 4. Check the Match Every Packet check box to match the rule for every frame or packet regardless of its contents. Uncheck the Match Every Packet check box to configure any of the additional match criteria.

Timesaver: If Match Every Packet is checked then skip to Step 12.

Step 5. Check the EtherType check box to compare the match criteria against the value in the header of an Ethernet frame. If the EtherType check box is checked, click one of these radio buttons.

Step 8. Enter the source MAC address mask in the Source MAC Mask field. The mask specifies which bits in the source MAC are compared against an Ethernet frame. For each bit position in the mask, a 0 bit means the corresponding address bit is compared, and a 1 bit means the corresponding address bit is ignored.

Step 10. Enter the destination MAC address mask in the Destination MAC Mask field. The mask specifies which bits in the destination MAC are compared against an Ethernet frame. For each bit position in the mask, a 0 bit means the corresponding address bit is compared, and a 1 bit means the corresponding address bit is ignored.

Step 11. Check the VLAN ID check box to compare the VLAN ID against an Ethernet frame. Enter the VLAN ID, which ranges from 0 to 4095, in the VLAN ID field.

Note: For information on how to create a new VLAN, refer to the article Configuration of Management and Untagged VLAN IDs on WAP121 and WAP321.
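
The following Python model is an added example, not code from this article or from the device firmware. It shows how the mask fields in Steps 8 and 10 behave and why a mask written the wrong way round matches the wrong stations. The frames, MAC addresses, first-match rule order and the `default` action are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

def mac_to_int(mac: str) -> int:
    """Parse xx:xx:xx:xx:xx:xx into a 48-bit integer."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int.from_bytes(bytes(int(o, 16) for o in octets), "big")

def mac_matches(frame_mac: str, rule_mac: str, mask: str) -> bool:
    """Steps 8 and 10: a 0 mask bit is compared, a 1 mask bit is ignored."""
    compared = ~mac_to_int(mask) & 0xFFFFFFFFFFFF
    return ((mac_to_int(frame_mac) ^ mac_to_int(rule_mac)) & compared) == 0

@dataclass
class Rule:
    action: str                          # "permit" or "deny" (Step 3)
    match_every: bool = False            # Step 4
    src_mac: Optional[str] = None
    src_mask: str = "00:00:00:00:00:00"  # all zeros: compare every bit
    dst_mac: Optional[str] = None
    dst_mask: str = "00:00:00:00:00:00"
    vlan_id: Optional[int] = None        # Step 11, 0 to 4095

    def matches(self, frame: dict) -> bool:
        if self.match_every:
            return True
        if self.src_mac and not mac_matches(frame["src"], self.src_mac, self.src_mask):
            return False
        if self.dst_mac and not mac_matches(frame["dst"], self.dst_mac, self.dst_mask):
            return False
        return self.vlan_id is None or frame["vlan"] == self.vlan_id

def evaluate(rules: list, frame: dict, default: str = "deny") -> str:
    """Assumed model: rules checked in order, first match wins, else `default`."""
    if len(rules) > 10:
        raise ValueError("a single ACL holds at most 10 rules")
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return default

# Constructed sample: permit one vendor prefix, with the mask written two ways.
FRAME_OK = {"src": "00:1a:2b:11:22:33", "dst": "ff:ff:ff:ff:ff:ff", "vlan": 10}
FRAME_OTHER = {"src": "de:ad:be:00:00:00", "dst": "ff:ff:ff:ff:ff:ff", "vlan": 10}
INTENDED = [Rule("permit", src_mac="00:1a:2b:00:00:00", src_mask="00:00:00:ff:ff:ff")]
INVERTED = [Rule("permit", src_mac="00:1a:2b:00:00:00", src_mask="ff:ff:ff:00:00:00")]
```

With the `INVERTED` mask only the last three octets are compared, so `evaluate(INVERTED, FRAME_OK)` returns `deny` while `FRAME_OTHER`, which carries a different prefix, is permitted.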